diff --git a/.github/workflows/build_validation_develop.yml b/.github/workflows/build_validation_develop.yml index 01be02c3c..a9364293d 100644 --- a/.github/workflows/build_validation_develop.yml +++ b/.github/workflows/build_validation_develop.yml @@ -1,11 +1,11 @@ --- name: Build Validation -on: # yamllint disable-line rule:truthy +on: # yamllint disable-line rule:truthy pull_request: branches: - main - - 'feature/**' + - "feature/**" # for each ref (branch/pr) run just the most recent, # cancel other pending/running ones @@ -57,6 +57,11 @@ jobs: with: terraform_version: "1.9.8" + - uses: hashicorp/setup-terraform@v3 + if: ${{ steps.filter.outputs.terraform == 'true' }} + with: + terraform_version: "1.9.8" + - name: Terraform format check if: ${{ steps.filter.outputs.terraform == 'true' }} run: terraform fmt -check -recursive @@ -112,7 +117,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} VALIDATE_TERRAFORM_TFLINT: true TERRAFORM_TFLINT_CONFIG_FILE: .tflint_core.hcl - FILTER_REGEX_INCLUDE: './core/.*' + FILTER_REGEX_INCLUDE: "./core/.*" - name: Workspace Tags if: ${{ steps.filter.outputs.terraform_workspaces == 'true' }} @@ -123,7 +128,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} VALIDATE_TERRAFORM_TFLINT: true TERRAFORM_TFLINT_CONFIG_FILE: .tflint_workspaces.hcl - FILTER_REGEX_INCLUDE: './templates/workspaces/.*' + FILTER_REGEX_INCLUDE: "./templates/workspaces/.*" - name: Workspace Services Tags if: ${{ steps.filter.outputs.terraform_workspace_services == 'true' }} @@ -134,8 +139,8 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} VALIDATE_TERRAFORM_TFLINT: true TERRAFORM_TFLINT_CONFIG_FILE: .tflint_workspace_services.hcl - FILTER_REGEX_INCLUDE: './templates/workspaces/.*' - FILTER_REGEX_EXCLUDE: '.*user_resource.*' + FILTER_REGEX_INCLUDE: "./templates/workspaces/.*" + FILTER_REGEX_EXCLUDE: ".*user_resource.*" - name: User Resources Tags if: ${{ steps.filter.outputs.terraform_workspace_services == 'true' }} @@ -146,7 +151,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} VALIDATE_TERRAFORM_TFLINT: true TERRAFORM_TFLINT_CONFIG_FILE: .tflint_user_resources.hcl - FILTER_REGEX_INCLUDE: './templates/workspace_services/.*/user_resources/.*' + FILTER_REGEX_INCLUDE: "./templates/workspace_services/.*/user_resources/.*" - name: Shared Services Tags if: ${{ steps.filter.outputs.terraform_shared_services == 'true' }} @@ -157,4 +162,4 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} VALIDATE_TERRAFORM_TFLINT: true TERRAFORM_TFLINT_CONFIG_FILE: .tflint_shared_services.hcl - FILTER_REGEX_INCLUDE: './templates/shared_services/.*' + FILTER_REGEX_INCLUDE: "./templates/shared_services/.*" diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 2cb40d1fd..92327b53f 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -12,13 +12,13 @@ # name: "CodeQL" -on: # yamllint disable-line rule:truthy +on: # yamllint disable-line rule:truthy push: branches: [main] pull_request: branches: [main] schedule: - - cron: '41 3 * * 5' + - cron: "41 3 * * 5" # for each ref (branch/pr) run just the most recent, # cancel other pending/running ones @@ -38,7 +38,7 @@ jobs: strategy: fail-fast: false matrix: - language: ['python', 'java', 'javascript', 'typescript'] + language: ["python", "java", "javascript", "typescript"] steps: - name: Checkout repository diff --git a/CHANGELOG.md b/CHANGELOG.md index e99edc513..6d19e990a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -49,6 +49,7 @@ BUG FIXES: * Fix VM actions where Workspace shared storage doesn't allow shared key access ([#4222](https://github.com/microsoft/AzureTRE/issues/4222)) * Fix public exposure in Guacamole service ([[#4199](https://github.com/microsoft/AzureTRE/issues/4199)]) * Fix Azure ML network tags to use name rather than ID ([[#4151](https://github.com/microsoft/AzureTRE/issues/4151)]) +* Add option to force tunnel TRE's Firewall ([#4237](https://github.com/microsoft/AzureTRE/issues/4237)) COMPONENTS: diff --git a/Makefile b/Makefile index 90e768680..58719016b 100644 --- a/Makefile +++ b/Makefile @@ -309,8 +309,10 @@ deploy-shared-service: && ${MAKEFILE_DIR}/devops/scripts/deploy_shared_service.sh $${PROPS} firewall-install: - $(MAKE) bundle-build bundle-publish bundle-register deploy-shared-service \ - DIR=${MAKEFILE_DIR}/templates/shared_services/firewall/ BUNDLE_TYPE=shared_service + . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh env \ + && $(MAKE) bundle-build bundle-publish bundle-register deploy-shared-service \ + DIR=${MAKEFILE_DIR}/templates/shared_services/firewall/ BUNDLE_TYPE=shared_service \ + PROPS="$${FIREWALL_SKU+--firewall_sku $${FIREWALL_SKU} }$${FIREWALL_FORCE_TUNNEL_IP+--firewall_force_tunnel_ip $${FIREWALL_FORCE_TUNNEL_IP} }" static-web-upload: $(call target_title, "Uploading to static website") \ diff --git a/config.sample.yaml b/config.sample.yaml index 44777e89a..009f01792 100644 --- a/config.sample.yaml +++ b/config.sample.yaml @@ -10,7 +10,7 @@ management: acr_name: __CHANGE_ME__ # ID of external Key Vault to store CMKs in (only required if enable_cmk_encryption is true) # external_key_store_id: __CHANGE_ME__ - # Name of Key Vault for encryption keys, required only if enable_cmk_encryption is true and not using external_key_store_id + # Name of Key Vault for encryption, required if enable_cmk_encryption is true and external_key_store_id is not set # encryption_kv_name: __CHANGE_ME__ # Azure Resource Manager credentials used for CI/CD pipelines arm_subscription_id: __CHANGE_ME__ @@ -46,6 +46,7 @@ tre: # The TRE Web UI is deployed by default. # Uncomment the following to disable deployment of the Web UI. # deploy_ui: false + # firewall_force_tunnel_ip: __CHANGE_ME__ firewall_sku: Standard app_gateway_sku: Standard_v2 diff --git a/docs/tre-admins/configure-firewall-force-tunneling.md b/docs/tre-admins/configure-firewall-force-tunneling.md new file mode 100644 index 000000000..68d5886c9 --- /dev/null +++ b/docs/tre-admins/configure-firewall-force-tunneling.md @@ -0,0 +1,21 @@ +# Forced Tunneling to External Firewall in TRE + +Azure TRE deploys and manages an Azure firewall to ensure creation of workspace level rules can be automated when TRE workspaces and other services are created without manual intervention. +It is highly recommended leaving the Azure TRE firewall in place. If there is still the requirement to send all traffic through a centralized enterprise firewall, such as that deployed as part of an Azure landing zone, then forced tunnelling should be used. The centralized firewall will need a superset of rules used by the TRE. + +To setup forced tunneling to an external firewall, follow these steps: + +## 1. Set the firewall_force_tunnel_ip parameter in the config.yaml file +Provide the external firewall's IP address: + +```json +firewall_force_tunnel_ip: 192.168.0.4 +``` +This automatically creates a route table to direct TRE’s traffic to the specified IP. + +## 2. Manually Connect TRE to Your Firewall +Configure connectivity between TRE’s VNet and your external firewall using one of the following methods: + +1. **VNet Peering**: Peer the TRE VNet with your firewall’s VNet. +1. **ExpressRoute**: Use a private connection for firewalls located on-premises. +1. **Site-to-Site VPN**: Establish a VPN connection as an alternative. diff --git a/mkdocs.yml b/mkdocs.yml index d81cd0829..ed2b2c72a 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -140,6 +140,7 @@ nav: - Supported Clouds: tre-admins/supported-clouds.md - Customer Managed Keys: tre-admins/customer-managed-keys.md - Custom Domain Name: tre-admins/custom-domain.md + - Firewall Force Tunneling: tre-admins/configure-firewall-force-tunneling.md - Development: # Docs related to the developing code for the AzureTRE - Local Development: using-tre/local-development/local-development.md diff --git a/templates/shared_services/firewall/parameters.json b/templates/shared_services/firewall/parameters.json index 7883f0aa1..6a1df98da 100755 --- a/templates/shared_services/firewall/parameters.json +++ b/templates/shared_services/firewall/parameters.json @@ -63,6 +63,12 @@ "source": { "env": "ARM_ENVIRONMENT" } + }, + { + "name": "firewall_force_tunnel_ip", + "source": { + "env": "FIREWALL_FORCE_TUNNEL_IP" + } } ] } diff --git a/templates/shared_services/firewall/porter.yaml b/templates/shared_services/firewall/porter.yaml index d5e7003d1..ffba80504 100644 --- a/templates/shared_services/firewall/porter.yaml +++ b/templates/shared_services/firewall/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-shared-service-firewall -version: 1.2.8 +version: 1.3.0 description: "An Azure TRE Firewall shared service" dockerfile: Dockerfile.tmpl registry: azuretre @@ -54,6 +54,9 @@ parameters: default: "graph.microsoft.com" - name: arm_environment type: string + - name: firewall_force_tunnel_ip + type: string + default: "" mixins: - terraform: @@ -69,6 +72,7 @@ install: api_driven_network_rule_collections_b64: ${ bundle.parameters.network_rule_collections } firewall_sku: ${ bundle.parameters.firewall_sku } microsoft_graph_fqdn: ${ bundle.parameters.microsoft_graph_fqdn } + firewall_force_tunnel_ip: ${ bundle.parameters.firewall_force_tunnel_ip } backendConfig: use_azuread_auth: "true" use_oidc: "true" @@ -87,6 +91,7 @@ upgrade: api_driven_network_rule_collections_b64: ${ bundle.parameters.network_rule_collections } firewall_sku: ${ bundle.parameters.firewall_sku } microsoft_graph_fqdn: ${ bundle.parameters.microsoft_graph_fqdn } + firewall_force_tunnel_ip: ${ bundle.parameters.firewall_force_tunnel_ip } backendConfig: use_azuread_auth: "true" use_oidc: "true" @@ -105,6 +110,7 @@ uninstall: api_driven_network_rule_collections_b64: ${ bundle.parameters.network_rule_collections } firewall_sku: ${ bundle.parameters.firewall_sku } microsoft_graph_fqdn: ${ bundle.parameters.microsoft_graph_fqdn } + firewall_force_tunnel_ip: ${ bundle.parameters.firewall_force_tunnel_ip } backendConfig: use_azuread_auth: "true" use_oidc: "true" diff --git a/templates/shared_services/firewall/template_schema.json b/templates/shared_services/firewall/template_schema.json index cd3aab13b..23b0f8a52 100644 --- a/templates/shared_services/firewall/template_schema.json +++ b/templates/shared_services/firewall/template_schema.json @@ -6,111 +6,127 @@ "description": "Provides Firewall shared service", "required": [], "properties": { + "firewall_sku": { + "type": "string", + "title": "Firewall SKU", + "description": "The SKU that will be used when deploying The Firewall.", + "default": "Standard", + "enum": [ + "Basic", + "Standard", + "Premium" + ] + }, + "firewall_force_tunnel_ip": { + "type": "string", + "title": "Force Tunnel IP", + "description": "Optionally specify an IP address to forward all traffic to" + }, "rule_collections": { - "$id": "#properties/rule_collections", - "title": "application rule collections", - "type": "array", - "default": [], + "$id": "#properties/rule_collections", + "title": "application rule collections", + "type": "array", + "default": [], "updateable": true, - "items":{ - "title": "items", - "type": "object", - "required": [ - "name", - "rules" - ], - "properties": { - "name": { - "title": "name", - "type": "string", - "examples": [ - "my-rule" - ], - "pattern": "^.*$" - }, - "action": { - "title": "action DEPRECATED", - "type": "string", - "examples": [ - "Allow" - ], + "items": { + "title": "items", + "type": "object", + "required": [ + "name", + "rules" + ], + "properties": { + "name": { + "title": "name", + "type": "string", + "examples": [ + "my-rule" + ], + "pattern": "^.*$" + }, + "action": { + "title": "action DEPRECATED", + "type": "string", + "examples": [ + "Allow" + ], "enum": [ "Allow", "Deny" ] }, - "rules": { - "title": "rules", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "object", - "required": [ - "name" - ], - "properties": { - "name": { - "title": "name", - "type": "string", - "examples": [ - "rule 1" - ], - "pattern": "^.*$" - }, - "description": { - "title": "description", - "type": "string", - "default": "", - "examples": [ - "My rule description here" - ], - "pattern": "^.*$" - }, - "protocols": { - "title": "protocols", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "object", - "required": [ - "port", - "type" - ], - "properties": { - "port": { - "title": "port", - "type": "string", - "examples": [ - "1234" - ], - "pattern": "^.*$" - }, - "type": { - "title": "type", - "type": "string", + "rules": { + "title": "rules", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "title": "name", + "type": "string", + "examples": [ + "rule 1" + ], + "pattern": "^.*$" + }, + "description": { + "title": "description", + "type": "string", + "default": "", + "examples": [ + "My rule description here" + ], + "pattern": "^.*$" + }, + "protocols": { + "title": "protocols", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "object", + "required": [ + "port", + "type" + ], + "properties": { + "port": { + "title": "port", + "type": "string", + "examples": [ + "1234" + ], + "pattern": "^.*$" + }, + "type": { + "title": "type", + "type": "string", "enum": [ "Http", "Https", "Mssql" ], - "examples": [ - "Http" - ] - } - } - } - }, + "examples": [ + "Http" + ] + } + } + } + }, "fqdn_tags": { - "title": "fqdn tags", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "string", - "default": "", - "enum":[ + "title": "fqdn tags", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "string", + "default": "", + "enum": [ "AppServiceEnvironment", "AzureBackup", "AzureKubernetesService", @@ -120,246 +136,246 @@ "WindowsUpdate", "WindowsVirtualDesktop" ], - "examples": [ - "AzureKubernetesService" - ] - } - }, - "target_fqdns": { - "title": "destination fqdns", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "string", - "default": "", - "examples": [ - "one.two.three.com" - ] - } - }, - "source_addresses": { - "title": "source addresses", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "string", - "default": "", - "examples": [ - "172.196.0.0" - ] - } - }, + "examples": [ + "AzureKubernetesService" + ] + } + }, + "target_fqdns": { + "title": "destination fqdns", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "string", + "default": "", + "examples": [ + "one.two.three.com" + ] + } + }, + "source_addresses": { + "title": "source addresses", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "string", + "default": "", + "examples": [ + "172.196.0.0" + ] + } + }, "source_ip_group_ids": { - "title": "source ip group ids", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "string", - "default": "", - "examples": [ - "some_ip_group_id" - ] - } - }, + "title": "source ip group ids", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "string", + "default": "", + "examples": [ + "some_ip_group_id" + ] + } + }, "source_ip_groups_in_core": { - "title": "source ip group names in core", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "string", - "default": "", - "examples": [ - "ip_group_name_in_core_resource_group" - ] - } - } - } - } - } - } - } + "title": "source ip group names in core", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "string", + "default": "", + "examples": [ + "ip_group_name_in_core_resource_group" + ] + } + } + } + } + } + } + } }, "network_rule_collections": { - "$id": "#properties/network_rule_collections", - "title": "network rule collections", - "type": "array", - "default": [], + "$id": "#properties/network_rule_collections", + "title": "network rule collections", + "type": "array", + "default": [], "updateable": true, - "items":{ - "title": "items", - "type": "object", - "required": [ - "name", - "rules" - ], - "properties": { - "name": { - "title": "name", - "type": "string", - "examples": [ - "my-rule" - ], - "pattern": "^.*$" - }, - "action": { - "title": "action DEPRECATED", - "type": "string", - "examples": [ - "Allow" - ], + "items": { + "title": "items", + "type": "object", + "required": [ + "name", + "rules" + ], + "properties": { + "name": { + "title": "name", + "type": "string", + "examples": [ + "my-rule" + ], + "pattern": "^.*$" + }, + "action": { + "title": "action DEPRECATED", + "type": "string", + "examples": [ + "Allow" + ], "enum": [ "Allow", "Deny" ] }, - "rules": { - "title": "rules", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "object", - "required": [ - "name" - ], - "properties": { - "name": { - "title": "name", - "type": "string", - "examples": [ - "rule 1" - ], - "pattern": "^.{5,80}$" - }, - "description": { - "title": "description DEPRECATED", - "type": "string", - "default": "", - "examples": [ - "My rule description here" - ], - "pattern": "^.*$" - }, - "source_addresses": { - "title": "source addresses", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "string", - "default": "", - "examples": [ - "172.196.0.0" - ] - } - }, + "rules": { + "title": "rules", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "title": "name", + "type": "string", + "examples": [ + "rule 1" + ], + "pattern": "^.{5,80}$" + }, + "description": { + "title": "description DEPRECATED", + "type": "string", + "default": "", + "examples": [ + "My rule description here" + ], + "pattern": "^.*$" + }, + "source_addresses": { + "title": "source addresses", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "string", + "default": "", + "examples": [ + "172.196.0.0" + ] + } + }, "source_ip_group_ids": { - "title": "source ip group ids", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "string", - "default": "", - "examples": [ - "some_ip_group_id" - ] - } - }, + "title": "source ip group ids", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "string", + "default": "", + "examples": [ + "some_ip_group_id" + ] + } + }, "source_ip_groups_in_core": { - "title": "source ip group names in core", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "string", - "default": "", - "examples": [ - "some_ip_group_name" - ] - } - }, - "destination_addresses": { - "title": "destination addresses", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "string", - "default": "", - "examples": [ - "172.196.0.0" - ] - } - }, + "title": "source ip group names in core", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "string", + "default": "", + "examples": [ + "some_ip_group_name" + ] + } + }, + "destination_addresses": { + "title": "destination addresses", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "string", + "default": "", + "examples": [ + "172.196.0.0" + ] + } + }, "destination_ip_group_ids": { - "title": "destination ip group ids", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "string", - "default": "", - "examples": [ - "some_ip_group_id" - ] - } - }, + "title": "destination ip group ids", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "string", + "default": "", + "examples": [ + "some_ip_group_id" + ] + } + }, "destination_fqdns": { - "title": "destination fqdns", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "string", - "default": "", - "examples": [ - "one.two.three.com" - ] - } - }, + "title": "destination fqdns", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "string", + "default": "", + "examples": [ + "one.two.three.com" + ] + } + }, "destination_ports": { - "title": "destination ports", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "string", - "default": "", - "examples": [ - "80", + "title": "destination ports", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "string", + "default": "", + "examples": [ + "80", "443", "*" - ] - } - }, - "protocols": { - "title": "protocols", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "string", + ] + } + }, + "protocols": { + "title": "protocols", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "string", "enum": [ "Any", "ICMP", "TCP", "UDP" ], - "examples": [ - "TCP" - ] - } - } - } - } - } - } - } + "examples": [ + "TCP" + ] + } + } + } + } + } + } + } } } } diff --git a/templates/shared_services/firewall/terraform/firewall.tf b/templates/shared_services/firewall/terraform/firewall.tf index ae94aecff..6697a359b 100644 --- a/templates/shared_services/firewall/terraform/firewall.tf +++ b/templates/shared_services/firewall/terraform/firewall.tf @@ -15,7 +15,7 @@ moved { } resource "azurerm_public_ip" "fwmanagement" { - count = local.effective_firewall_sku == "Basic" ? 1 : 0 + count = (var.firewall_force_tunnel_ip != "" || local.effective_firewall_sku == "Basic") ? 1 : 0 name = "pip-fw-management-${var.tre_id}" resource_group_name = local.core_resource_group_name location = data.azurerm_resource_group.rg.location @@ -42,7 +42,7 @@ resource "azurerm_firewall" "fw" { } dynamic "management_ip_configuration" { - for_each = local.effective_firewall_sku == "Basic" ? [1] : [] + for_each = (var.firewall_force_tunnel_ip != "" || local.effective_firewall_sku == "Basic") ? [1] : [] content { name = "mgmtconfig" subnet_id = data.azurerm_subnet.firewall_management.id diff --git a/templates/shared_services/firewall/terraform/routetable.tf b/templates/shared_services/firewall/terraform/routetable.tf index f0e4388d9..23202788e 100644 --- a/templates/shared_services/firewall/terraform/routetable.tf +++ b/templates/shared_services/firewall/terraform/routetable.tf @@ -87,3 +87,28 @@ resource "azurerm_subnet_route_table_association" "rt_airlock_events_subnet_asso azurerm_firewall_policy_rule_collection_group.dynamic_application ] } + +resource "azurerm_route_table" "fw_tunnel_rt" { + count = var.firewall_force_tunnel_ip != "" ? 1 : 0 + name = "rt-fw-tunnel-${var.tre_id}" + resource_group_name = local.core_resource_group_name + location = data.azurerm_resource_group.rg.location + bgp_route_propagation_enabled = true + tags = local.tre_shared_service_tags + + lifecycle { ignore_changes = [tags] } + + route { + name = "ForceTunnelRoute" + address_prefix = "0.0.0.0/0" + next_hop_type = "VirtualAppliance" + next_hop_in_ip_address = var.firewall_force_tunnel_ip + } +} + +resource "azurerm_subnet_route_table_association" "rt_fw_tunnel_subnet_association" { + count = var.firewall_force_tunnel_ip != "" ? 1 : 0 + subnet_id = data.azurerm_subnet.firewall.id + route_table_id = azurerm_route_table.fw_tunnel_rt[0].id +} + diff --git a/templates/shared_services/firewall/terraform/variables.tf b/templates/shared_services/firewall/terraform/variables.tf index a1017e157..1140c25f4 100644 --- a/templates/shared_services/firewall/terraform/variables.tf +++ b/templates/shared_services/firewall/terraform/variables.tf @@ -27,3 +27,8 @@ variable "firewall_sku" { type = string default = "" } + +variable "firewall_force_tunnel_ip" { + type = string + default = "" +}